As of yesterday, May 3, Google supports adding Passkeys to your account.

The full blog post is worth a read, but the highlights of why someone would prefer a Passkey over a Password are:

  1. Unlike passwords, passkeys can only exist on your devices. Bad actors cannot steal information that you are incapable of giving to them. This is a great way to stop phishing attacks, where users are tricked into giving up their passwords.
  2. Passkeys are so secure that we don’t need to do 2FA/MFA as a second step during sign-in. This means no more typing in 6-digit codes, or paying $25-75 for a YubiKey you have to tap on during sign-in.
  3. Passkeys are underpinned by the same technology the world uses to sign in to other critical things, like the servers that power Facebook or Google. Private/public key pairs are very, very secure.

This means: eliminated risk of phishing, a simpler sign-in process, and the best-practice approach to sign-in security.
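
The phishing resistance in points 1 and 3 comes from how a passkey sign-in is checked. The sketch below is an added example, not code from Google or from this post. It is a simplified Node.js model of a WebAuthn assertion in which the relying party `accounts.example`, the lookalike origin and all function names are constructed, and the RP ID match is reduced to an exact hostname comparison.

```javascript
// Simplified passkey sign-in model (WebAuthn assertion); names and origins are constructed.
const { generateKeyPairSync, sign, verify, randomBytes, createHash } = require("node:crypto");

const sha256 = (data) => createHash("sha256").update(data).digest();
const RP_ID = "accounts.example"; // hypothetical relying party
const RP_ORIGIN = "https://accounts.example";

// Registration: the key pair is created on the device; the server stores only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  return { device: { rpId, privateKey }, serverRecord: { publicKey } };
}

// Device side: the browser (not the page) supplies the origin, and the
// authenticator only uses a credential whose RP ID matches that origin's host.
function signIn(device, browserOrigin, challenge) {
  if (new URL(browserOrigin).hostname !== device.rpId) return null; // no passkey for this site
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin: browserOrigin,
  }));
  // authData = SHA-256(RP ID) || flags (user present + verified) || 4-byte counter
  const authData = Buffer.concat([sha256(device.rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: sign("sha256", signed, device.privateKey) };
}

// Server side: check challenge, origin and RP ID hash, then the signature itself.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  if (!assertion) return "no-assertion";
  const clientData = JSON.parse(assertion.clientDataJSON.toString());
  if (clientData.type !== "webauthn.get") return "wrong-type";
  if (clientData.challenge !== expectedChallenge.toString("base64url")) return "stale-challenge";
  if (clientData.origin !== RP_ORIGIN) return "wrong-origin";
  if (!assertion.authData.subarray(0, 32).equals(sha256(RP_ID))) return "wrong-rp";
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return verify("sha256", signed, serverRecord.publicKey, assertion.signature) ? "ok" : "bad-signature";
}

function demo() {
  const { device, serverRecord } = createPasskey(RP_ID);
  const challenge = randomBytes(32);
  const good = signIn(device, RP_ORIGIN, challenge);
  const lookalike = signIn(device, "https://accounts.example.login.test", challenge);
  return {
    genuine: verifyAssertion(serverRecord, challenge, good),
    lookalike: verifyAssertion(serverRecord, challenge, lookalike),
    replayed: verifyAssertion(serverRecord, randomBytes(32), good),
  };
}
console.log(demo());
```

The server never holds a secret that can be typed into a fake page: it stores a public key, and each sign-in is a fresh signature tied to one challenge and one origin.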

Two big things worth noting for now.

Passkeys are an additional authentication measure you can add to your Google account. You don’t have to add one, and adding one will not replace your password. At some point in the future I imagine Google will phase out the ability to use a password, at which point users will only be using passkeys to sign in.

Users of Apple devices need only create a Passkey on one device, and it will sync across all other devices logged in to the same iCloud account. I created my Google Passkey on my MacBook Pro, and it immediately appeared on my iPhone. Other manufacturers (Android, Microsoft/Windows) should support these sync features, too!